Merge branch 'master' into f19

Conflicts: ppp.spec
2013-07-30 17:19:08 +02:00 · 2013-07-30 17:19:08 +02:00 · 2adf79112c
parent bab4af81ee 91f7b1a030
commit 2adf79112c
2 changed files with 103 additions and 10 deletions
--- a/ppp-2.4.5-hardened.patch
+++ b/ppp-2.4.5-hardened.patch
@ -0,0 +1,80 @@
+diff -up ppp-2.4.5/chat/Makefile.linux.hardened ppp-2.4.5/chat/Makefile.linux
+--- ppp-2.4.5/chat/Makefile.linux.hardened	2013-07-28 16:36:54.379766667 +0200
+++ ppp-2.4.5/chat/Makefile.linux	2013-07-28 16:37:25.816760232 +0200
+@@ -10,7 +10,7 @@ CDEF3=	-UNO_SLEEP			# Use the usleep fun
+ CDEF4=	-DFNDELAY=O_NDELAY		# Old name value
+ CDEFS=	$(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4)
+ 
+-COPTS=	$(RPM_OPT_FLAGS)
+COPTS=	$(RPM_OPT_FLAGS) -fPIE
+ CFLAGS=	$(COPTS) $(CDEFS)
+ 
+ INSTALL= install
+@@ -18,7 +18,7 @@ INSTALL= install
+ all:	chat
+ 
+ chat:	chat.o
+-	$(CC) -pie -o chat chat.o
+	$(CC) -z now -pie -o chat chat.o
+ 
+ chat.o:	chat.c
+ 	$(CC) -c $(CFLAGS) -o chat.o chat.c
+diff -up ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux.hardened ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux
+--- ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux.hardened	2013-07-28 16:38:50.454744701 +0200
+++ ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux	2013-07-28 16:39:30.297737993 +0200
+@@ -27,11 +27,11 @@ INSTALL	= install
+ RP_VERSION=3.8p
+ 
+ COPTS=$(RPM_OPT_FLAGS)
+-CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
+CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' -fPIE
+ all: rp-pppoe.so pppoe-discovery
+ 
+ pppoe-discovery: pppoe-discovery.o debug.o
+-	$(CC) -o pppoe-discovery pppoe-discovery.o debug.o
+	$(CC) -z now -pie -o pppoe-discovery pppoe-discovery.o debug.o
+ 
+ pppoe-discovery.o: pppoe-discovery.c
+ 	$(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c
+diff -up ppp-2.4.5/pppdump/Makefile.linux.hardened ppp-2.4.5/pppdump/Makefile.linux
+--- ppp-2.4.5/pppdump/Makefile.linux.hardened	2013-07-28 16:38:09.270751992 +0200
+++ ppp-2.4.5/pppdump/Makefile.linux	2013-07-28 16:38:34.296747511 +0200
+@@ -2,7 +2,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@
+ BINDIR = $(DESTDIR)/sbin
+ MANDIR = $(DESTDIR)/share/man/man8
+ 
+-CFLAGS= $(RPM_OPT_FLAGS) -I../include/net
+CFLAGS= $(RPM_OPT_FLAGS) -I../include/net -fPIE
+ OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
+ 
+ INSTALL= install
+@@ -10,7 +10,7 @@ INSTALL= install
+ all:	pppdump
+ 
+ pppdump: $(OBJS)
+-	$(CC) -o pppdump $(OBJS)
+	$(CC) -z now -pie -o pppdump $(OBJS)
+ 
+ clean:
+ 	rm -f pppdump $(OBJS) *~
+diff -up ppp-2.4.5/pppstats/Makefile.linux.hardened ppp-2.4.5/pppstats/Makefile.linux
+--- ppp-2.4.5/pppstats/Makefile.linux.hardened	2013-07-28 16:40:28.737728584 +0200
+++ ppp-2.4.5/pppstats/Makefile.linux	2013-07-28 16:40:49.130725389 +0200
+@@ -11,7 +11,7 @@ PPPSTATOBJS = pppstats.o
+ 
+ #CC = gcc
+ COPTS = $(RPM_OPT_FLAGS)
+-COMPILE_FLAGS = -I../include
+COMPILE_FLAGS = -I../include -fPIE
+ LIBS =
+ 
+ INSTALL= install
+@@ -26,7 +26,7 @@ install: pppstats
+ 	$(INSTALL) -c -m 444 pppstats.8 $(MANDIR)
+ 
+ pppstats: $(PPPSTATSRCS)
+-	$(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
+	$(CC) $(CFLAGS) -z now -pie -o pppstats pppstats.c $(LIBS)
+ 
+ clean:
+ 	rm -f pppstats *~ #* core
--- a/ppp.spec
+++ b/ppp.spec
@ -1,7 +1,9 @@
+%global _hardened_build 1
+
 Summary: The Point-to-Point Protocol daemon
 Name: ppp
 Version: 2.4.5
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: BSD and LGPLv2+ and GPLv2+ and Public Domain
 Group: System Environment/Daemons
 URL: http://www.samba.org/ppp
@ -35,10 +37,10 @@ Patch31: ppp-2.4.5-lock.patch
 Patch32: ppp-2.4.5-l2tp-multilink.patch
 Patch33: ppp-2.4.5-radius-config.patch
 Patch34: ppp-2.4.5-crypt.patch
+Patch35: ppp-2.4.5-hardened.patch

-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: pam-devel, libpcap-devel, openssl-devel
-Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6 systemd-units
+BuildRequires: pam-devel, libpcap-devel, openssl-devel, systemd
+Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd
 Requires(pre): /usr/bin/getent
 Requires(pre): /usr/sbin/groupadd

@ -88,6 +90,7 @@ This package contains the header files for building plugins for ppp.
 %patch32 -p1 -b .l2tp-multilink
 %patch33 -p1 -b .radius
 %patch34 -p1 -b .crypt
+%patch35 -p1 -b .hardened

 rm -f scripts/*.local
 rm -f scripts/*.change_resolv_conf
@ -119,8 +122,8 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/ppp
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/ppp
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lock/ppp

-install -d -m 755 $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d
-install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/ppp.conf
+install -d -m 755 $RPM_BUILD_ROOT%{_tmpfilesdir}
+install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_tmpfilesdir}/ppp.conf

 # Logrotate script
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
@ -129,6 +132,9 @@ install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/ppp
 %pre
 getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || :

+%post
+mkdir -p %{_localstatedir}/lock/ppp
+
 %files
 %defattr(-,root,root)
 %{_sbindir}/chat
@ -146,10 +152,9 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || :
 %{_libdir}/pppd
 %dir %{_sysconfdir}/ppp
 %dir %{_localstatedir}/run/ppp
-%dir %{_localstatedir}/lock/ppp
+%ghost %dir %{_localstatedir}/lock/ppp
 %dir %{_sysconfdir}/logrotate.d
 %attr(700, root, root) %dir %{_localstatedir}/log/ppp
-%config %{_prefix}/lib/tmpfiles.d/ppp.conf
 %config(noreplace) %{_sysconfdir}/ppp/eaptls-client
 %config(noreplace) %{_sysconfdir}/ppp/eaptls-server
 %config(noreplace) %{_sysconfdir}/ppp/chap-secrets
@ -157,6 +162,7 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || :
 %config(noreplace) %{_sysconfdir}/ppp/pap-secrets
 %config(noreplace) %{_sysconfdir}/pam.d/ppp
 %config(noreplace) %{_sysconfdir}/logrotate.d/ppp
+%{_tmpfilesdir}/ppp.conf
 %doc FAQ README README.cbcp README.linux README.MPPE README.MSCHAP80 README.MSCHAP81 README.pwfd README.pppoe scripts sample README.eap-tls

 %files devel
@ -165,6 +171,13 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || :
 %doc PLUGINS

 %changelog
+* Tue Jul 30 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-31
+- don't ship /var/lock/ppp in rpm payload and create it in %post instead
+- fix installation of tmpfiles.d configuration
+- enable hardened build
+- fix bogus dates in changelog
+- compile all binaries with hardening flags
+
 * Thu Jul 04 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-30
 - fix possible NULL pointer dereferencing

@ -387,7 +400,7 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || :
 * Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
 - rebuilt

-* Wed May 24 2004 David Woodhouse <dwmw2@redhat.com> 2.4.2-2.3
+* Mon May 24 2004 David Woodhouse <dwmw2@redhat.com> 2.4.2-2.3
 - Enable IPv6 support. Disable PIE to avoid bogus Provides:

 * Fri May 14 2004 Thomas Woerner <twoerner@redhat.com> 2.4.2-2.2
@ -509,7 +522,7 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || :
 * Fri Apr 09 1999 Cristian Gafton <gafton@redhat.com>
 - force pppd use the glibc's logwtmp instead of implementing its own

-* Wed Apr 01 1999 Preston Brown <pbrown@redhat.com>
+* Thu Apr 01 1999 Preston Brown <pbrown@redhat.com>
 - version 2.3.7 bugfix release

 * Tue Mar 23 1999 Cristian Gafton <gafton@redhat.com>